Add experimental remote attestation
Implement a complete remote attestation for stboot'd servers. Include all identities of the original architecture.
stauth can already remotely attest an OS package after booting, including its human-readable ID. What's missing is the data channel identity, i.e., a signing key.
Secondly, the provisioning that needs to be done in order for stauth to work is currently done by stauth, not stprov. The code needs to be moved to stprov for a smoother UX. Afterwards the documentation needs to be updated.
This milestone also includes taking a stab at implementing remote enrollment of UEFI Secure Boot keys. Enabling UEFI setup mode can (maybe) be done using IPMI SoL and some regexp. The open questions are:
- are there libraries for SoL in go?
- is it reliable under bad network conditions?
- is the UEFI menu we're interacting with consistent enough to be automated?
- are there other ways to do it?
Once that is done, stprov can be extended to provision keys.
@kai is driving this milestone.
EDIT 2024-01-12: largely done but not actively worked on anymore, closing. Dropping system-transparency/core/stprov#28 because rgdd doesn't want stprov issues to be attached to obsolete milestones.